[strongSwan] iOS (iPad) connections without xauth

Martin Willi martin at strongswan.org
Wed Feb 27 09:05:32 CET 2013


Hi Daniel,

> if I change the authby to rsasig it seems as if the client still tries
> to enforce xauth:

I'm not sure, but I don't think there is a way to configure the native
iOS client to use certificate authentication only. It always wants to do
XAuth.

You may try the patch at [1]; it implements a simple XAuth mechanism
that does no authentication, but just returns SUCCESS. With the patch
applied, configure rightauth2=xauth-noauth.

> 01[CFG] checking certificate status of "***del*** E=daniel.fiederling at warema.de"
> 01[CFG]   fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
> 01[CFG]   using trusted certificate "DC=org, DC=example, CN=myca"
> 01[CFG] crl response verification failed

The daemon is unable to verify the CRL signature, therefore the CRL
can't be used to check for revoked certificates. Do you have the CRL
signer certificate and the full trust-chain installed on your system?
Does it have the CRLSigner X509 keyusage or the CA basic constraint flag
set?

> 01[LIB] LDAP bind to 'ldap:///CN=myca,[...]' failed: Can't contact LDAP server

Your LDAP URI does not contain any host information. Unfortunately there
is currently no way to configure a static LDAP host for your URIs in
strongSwan.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=fb780b21
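
Added example, not part of the original message and not strongSwan code: a small triage script run over the log lines quoted above. It separates the two CRL failures the reply distinguishes, a downloaded CRL whose signature does not verify and an LDAP distribution point whose URI names no host. The function name `triage_crl_log` is hypothetical, and treating the "using trusted certificate" line as the certificate tried as CRL signer is an assumption.

```python
import re
from urllib.parse import urlsplit

# Log lines quoted in the message above; the elided LDAP DN is kept as on the page.
SAMPLE_LOG = """\
01[CFG]   fetching crl from 'http://cert.example.org/CertEnroll/myca.crl' ...
01[CFG]   using trusted certificate "DC=org, DC=example, CN=myca"
01[CFG] crl response verification failed
01[LIB] LDAP bind to 'ldap:///CN=myca,[...]' failed: Can't contact LDAP server
"""

LINE = re.compile(r"^(\d+)\[([A-Z]{3})\]\s+(.*)$")
FETCH = re.compile(r"fetching crl from '([^']+)'")
TRUSTED = re.compile(r'using trusted certificate "([^"]+)"')
LDAP_FAIL = re.compile(r"LDAP bind to '([^']+)' failed")


def triage_crl_log(log):
    """Return one finding per failed CRL step as (kind, uri, detail)."""
    findings = []
    pending = {}  # thread id -> state of the CRL fetch in progress
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, _group, msg = m.groups()
        state = pending.setdefault(thread, {"uri": None, "signer": None})
        if (f := FETCH.search(msg)):
            state.update(uri=f.group(1), signer=None)
        elif (t := TRUSTED.search(msg)):
            # Assumption: this is the certificate tried as CRL signer.
            state["signer"] = t.group(1)
        elif msg == "crl response verification failed":
            # CRL was fetched but its signature did not verify: inspect the
            # signer certificate, its trust chain and its key usage / CA flag.
            findings.append(("crl-signature", state["uri"], state["signer"]))
        elif (b := LDAP_FAIL.search(msg)):
            uri = b.group(1)
            # A distribution point such as ldap:///CN=... names no server.
            host = urlsplit(uri).hostname
            kind = "ldap-unreachable" if host else "ldap-no-host"
            findings.append((kind, uri, host))
    return findings


if __name__ == "__main__":
    for finding in triage_crl_log(SAMPLE_LOG):
        print(finding)
```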
